Under 15% of noncompliant companies implemented automated or manual CCPA/CPRA compliance methods in the last year, a study found.
Businesses are dragging their feet to get compliant with CCPA and CPRA regulations, a study by data privacy compliance company CYTRIO found. Only 14.67% of the 600 mid-to-large companies included in the study that were non-compliant a year ago have become compliant since then.
Additionally, 13.33% of the total non-compliant companies adopted a manual compliance routine, while 1.33% implemented an automated system.
The California Privacy Rights Act (CPRA) expands on the California Consumer Privacy Act (CCPA) and went into effect at the beginning of 2023. However, a provision in the act delayed enforcement until July 1, 2023.
“CCPA and CPRA are furthest along among the U.S. data privacy laws, but even CCPA/CPRA is not actively enforced, resulting in very low compliance,” said Vijay Basani, founder and CEO of CYTRIO.
B2B/B2C breakdown. CCPA and CPRA require compliance from both B2B and B2C marketers.
Here’s a breakdown of compliance among the two cohorts:
- 5.33% of B2C companies moved from manual compliance to automated solutions.
- 12.67% of B2C companies moved from non-compliant to manual compliance.
- 8% of B2B companies moved from manual compliance to automated solutions.
- 14% of B2B companies moved from non-compliant to manual compliance.
Interactive tool for consumers. California’s Attorney General Rob Bonta launched a Consumer Privacy Interactive Tool that allows consumers to easily send notice to non-compliant companies.
Currently, the tool focuses on a specific case — when marketers fail to post an easy-to-find Do Not Sell My Information link on their website. Plans to expand the tool to other rights under CCPA and CPRA add incentives for marketers to comply.
“Easy-to-find Do Not Sell My Information is just a start,” said Basani. “Unless we get to an environment where there is active and frequent enforcement across companies of all sizes and industries, there is very little incentive for companies to comply with data privacy laws in the U.S.”
He added, “It is also important to not only focus on Do Not Sell My Information, regulators must focus on making sure companies are implementing Privacy UX tools such as Privacy Notices, legally compliant Cookie Consent Banners, providing consumers the ability to edit or change their preferences, and providing consumers with the ability to exercise their data privacy rights.”
Why we care. Basani estimates that 39% of companies overall have deployed a manual compliance solution, and 9% have put in place an automated solution. That leaves over half of organizations still playing catch-up in a more regulated environment that includes legislation in Virginia, Colorado and other states.